# rke2

bright-whale-83501

09/19/2022, 6:04 PM
Cross-post from #rke, but here it goes: I'm installing the RKE2 agent on a Windows worker. Should I just use the URL given from Rancher's custom cluster -> registration, or should I follow the instructions from https://docs.rke2.io/install/windows_airgap/? (I can't find any other installation documentation for the agent.)

creamy-pencil-82913

09/19/2022, 6:07 PM
When you say the custom cluster registration URL, you mean the one that lets you download the Rancher installation manifest for application to the downstream cluster?
RKE2 agents should be pointed at an RKE2 server, not at Rancher.

bright-whale-83501

09/19/2022, 6:13 PM
I mean cluster management -> clusters -> registration. Step 2, I copy the URL with curl.exe and paste it into my Windows worker.
wins-agent-install.ps1

creamy-pencil-82913

09/19/2022, 6:27 PM
yes, that should work, if you’re using Rancher for provisioning
the RKE2 docs don’t cover Rancher provisioning. They only cover standalone RKE2 clusters. Rancher docs in Rancher docs, RKE2 docs in RKE2 docs.

bright-whale-83501

09/19/2022, 6:29 PM
I do. But I've had a horrible time getting things to work. The biggest problem is our self-signed CA: I pass --insecure to Rancher but it does not matter. So I swapped out curl.exe in Windows with one 2 releases newer, and that version accepts our CA, if I rebuild the certificate bundle in Windows.
But the installation process ends up in a loop right after the Calico CNI has been brought alive. kubelet.exe is extracted again, and can't be replaced on the disk, since kubelet.exe is already executing in Windows.
If I manually kill that process and delete kubelet.exe, the installer continues. But it ends up in a loop.
Looking at the logs in Windows, I think this is the main error, but I don't know how/where to poke to solve it: "Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation"
Amazing. I think I solved the last hurdle. I added --insecure into the part that downloads kubeconfig from Rancher.
It's very strange. Even though I run my own curl.exe, which has curl-ca-bundle.crt in the same folder, it did not accept our CA. All previous curl.exe calls utilize curl-ca-bundle.crt. For the record, it's the function Get-RancherConnectionInfo that I needed to add --insecure into.

creamy-pencil-82913

09/19/2022, 7:08 PM
ah yeah, there may be issues with proxies and custom CAs on Windows. I know that the golang crypto libs don’t make it easy to interact with the Windows certificate store.

bright-whale-83501

09/19/2022, 7:28 PM
It's curl.exe that (this time) didn't play with the cert store, at all.
Most Google hits gladly tell you to just add -k or --insecure. But I wanted to pass my CA cert. Almost worked.